Critical RCE Vulnerability in the WordPress Plugin "Kalrav AI Agent"
Author: Chloe Chamberland
CVE References:
CVE-2025-14351
CVE-2026-1302
CVE-2026-0726
CVE-2025-67968
CVE-2026-24562
CVE-2025-69294
CVE-2025-14348
CVE-2025-15347
CVE-2026-0862
CVE-2025-69191
CVE-2025-13920
CVE-2026-1081
CVE-2025-68518
CVE-2026-1070
CVE-2025-14798
CVE-2026-1208
CVE-2026-0593
CVE-2025-67946
CVE-2026-1191
CVE-2025-68027
CVE-2025-15043
CVE-2025-13921
CVE-2025-69317
CVE-2026-1127
CVE-2026-24390
CVE-2026-22850
CVE-2026-24550
CVE-2026-0806
CVE-2025-67952
CVE-2025-69185
CVE-2025-69319
CVE-2025-68039
CVE-2025-15466
CVE-2026-24536
CVE-2026-22337
CVE-2026-24576
CVE-2026-24568
CVE-2025-68848
CVE-2025-13194
CVE-2026-24578
CVE-2026-0633
CVE-2026-24570
CVE-2026-0920
CVE-2026-24569
CVE-2026-1075
CVE-2025-14906
CVE-2025-14629
CVE-2025-67954
CVE-2025-14797
CVE-2026-22338
CVE-2025-67953
CVE-2025-67945
CVE-2026-0548
CVE-2026-0687
CVE-2026-1189
CVE-2026-24541
CVE-2025-69293
CVE-2025-69314
CVE-2025-15380
CVE-2026-24535
CVE-2025-14745
CVE-2025-69181
CVE-2025-69193
CVE-2025-67958
CVE-2026-24556
CVE-2025-69313
CVE-2025-68004
CVE-2026-24583
CVE-2025-14843
CVE-2026-1051
CVE-2025-14903
CVE-2025-67961
CVE-2026-1036
CVE-2025-67963
CVE-2026-24564
CVE-2026-0554
CVE-2025-68894
CVE-2025-15521
CVE-2026-0800
CVE-2026-24566
CVE-2025-68836
CVE-2025-12836
CVE-2025-68838
CVE-2025-14907
CVE-2025-69192
CVE-2026-0608
CVE-2025-67943
CVE-2026-24560
CVE-2026-24538
CVE-2025-67969
CVE-2025-6461
CVE-2025-68020
CVE-2025-14533
CVE-2025-69183
CVE-2026-24534
CVE-2025-68866
CVE-2026-1099
CVE-2025-69180
CVE-2025-67967
CVE-2026-24577
CVE-2026-24579
CVE-2025-68839
CVE-2025-67947
CVE-2026-24567
CVE-2026-1088
CVE-2026-1097
CVE-2025-14985
CVE-2025-68869
CVE-2026-24531
CVE-2025-68900
CVE-2026-24549
CVE-2025-68073
CVE-2025-67944
CVE-2025-68857
CVE-2025-69292
CVE-2026-24532
CVE-2026-24551
CVE-2026-24561
CVE-2026-24543
CVE-2025-68840
CVE-2026-24557
CVE-2026-1045
CVE-2019-25297
CVE-2025-68882
CVE-2026-24367
CVE-2025-14978
CVE-2026-1098
CVE-2026-24553
CVE-2025-68019
CVE-2025-68538
CVE-2025-12573
CVE-2026-1257
CVE-2025-68858
CVE-2026-0927
CVE-2026-1103
CVE-2026-24555
CVE-2025-67949
CVE-2026-0807
CVE-2025-68057
CVE-2026-24542
CVE-2026-24540
CVE-2025-69184
CVE-2025-68035
CVE-2026-1076
CVE-2026-1300
CVE-2025-13205
CVE-2025-13374
CVE-2026-24563
CVE-2026-24565
CVE-2025-15522
CVE-2026-0914
CVE-2026-24559
CVE-2026-24581
CVE-2026-24539
CVE-2025-68018
CVE-2026-1095
CVE-2026-24584
CVE-2026-24379
CVE-2026-1042
CVE-2025-67959
CVE-2025-67956
CVE-2026-22336
CVE-2025-14630
CVE-2025-14947
CVE-2024-11976
CVE-2025-68047
CVE-2025-68030
CVE-2025-69318
CVE-2026-0911
CVE-2025-67957
CVE-2026-24558
CVE-2026-24544
CVE-2025-69188
CVE-2026-24548
CVE-2025-69320
CVE-2025-13676
CVE-2025-69187
CVE-2025-15516
CVE-2025-68059
CVE-2025-14609
CVE-2025-69190
CVE-2025-67964
CVE-2025-69322
CVE-2025-67960
CVE-2026-24571
CVE-2025-68520
CVE-2025-69295
CVE-2026-1266
CVE-2026-24575
CVE-2025-69312
CVE-2026-24572
CVE-2025-68072
CVE-2025-69182
CVE-2025-14941
CVE-2025-68058
CVE-2025-69321
CVE-2025-14069
CVE-2025-14977
CVE-2025-67966
CVE-2025-14866
CVE-2025-67955
CVE-2025-68999
CVE-2026-0690
CVE-2025-69316
CVE-2025-69189
CVE-2025-68835
CVE-2025-69186
CVE-2025-69315
CVE-2025-13139
CVE-2026-1084
CVE-2026-24580
CVE-2025-69311
CVE-2025-68881
CVE-2025-68046
Summary
Researchers discovered a critical security vulnerability (CVE-2025-13374) in the WordPress plugin "Kalrav AI Agent". Through a vulnerable AJAX function, attackers can upload arbitrary files without authentication. This enables remote code execution with administrator privileges. Site operators should update the plugin to the latest version immediately.
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, 215 vulnerabilities were disclosed in 180 WordPress plugins and 17 WordPress themes and added to the Wordfence Intelligence Vulnerability Database, and 65 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world's leading provider of a quality vulnerability database for WordPress, we make sure site owners can rest assured that Wordfence has their back.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-891 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Patched | 98
Unpatched | 117
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 156
High Severity | 48
Critical Severity | 9
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Missing Authorization | 75
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 60
Cross-Site Request Forgery (CSRF) | 16
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 11
Exposure of Sensitive Information to an Unauthorized Actor | 10
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 10
Improper Privilege Management | 6
Incorrect Privilege Assignment | 5
Improper Control of Generation of Code ('Code Injection') | 4
Server-Side Request Forgery (SSRF) | 4
Unrestricted Upload of File with Dangerous Type | 4
Deserialization of Untrusted Data | 3
Authorization Bypass Through User-Controlled Key | 2
Improper Access Control | 1
Improper Authentication | 1
Improper Authorization | 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1
Incorrect Authorization | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Nabil Irawan | 25
Phat RiO | 24
João Pedro S Alcântara (Kinorth) | 22
Skalucy | 10
theviper17y | 9
0x34rth | 7
Legion Hunter | 6
Muhammad Nur Ibnu Hubab (Ibnu) | 6
daroo | 6
0xd4rk5id3 | 5
type5afe | 5
zaim | 5
afnaan | 5
Athiwat Tiprasaharn (Jitlada) | 5
Sarawut Poolkhet (MisterHelloz) | 4
NumeX | 4
Jarno Vos (jarnovos) | 3
benzdeus | 3
Muhammad Yudha - DJ | 3
Mdr | 3
andrea bocchetti | 3
Abdulsamad Yusuf (0xVenus) | 3
Trương Hữu Phúc (truonghuuphuc) | 2
Rapid0nion | 2
Doan Dinh Van (DinhVan52) | 2
Itthidej Aramsri (Boeing777) | 2
WPscan | 2
shark3y | 2
Moose Love | 2
Arkadiusz Hydzik | 2
Kazuma Matsumoto | 2
Dmitrii Ignatyev | 2
Lior Yeshayahu | 2
Webbernaut | 1
Mohammad Amin Hajian (mamadrce) | 1
Pouria Shahba (p0or1ya) | 1
stealthcopter | 1
Que Thanh Tuan | 1
Balamurugan R | 1
kr0d | 1
MD ISMAIL | 1
Williwollo (CybrX) | 1
Mohamad Fattyr | 1
Vilaysone CHANTHAVONG (0xJ0cKkY) | 1
mikemyers | 1
Md. Moniruzzaman Prodhan (NomanProdhan) | 1
Ryan Kozak | 1
johska | 1
Waris Damkham | 1
vgo0 | 1
Kai Aizen | 1
Khaled Alenazi (Nxploited) | 1
Osvaldo Noe Gonzalez Del Rio (Os) | 1
ChamlaVic | 1
Drew Webber (mcdruid) | 1
Sergej Ljubojevic | 1
Boris Bogosavac | 1
Hector Ruiz Ruiz | 1
MD. TAREQ AHAMED JONY (itztrq) | 1
blue0x1 | 1
Paolo Tresso | 1
knani alaaeddine (iwd) | 1
wackydawg | 1
Bonds | 1
w41bu1 | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug
ABG Rich Pins | abg-rich-pins
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | academy
Accordion – Add Horizontal / Vertical Accordion in WP | b-accordion
AdForest Elementor | adforest-elementor
Admin login URL Change | admin-login-url-change
Administrative Shortcodes | administrative-shortcodes
AdminQuickbar | adminquickbar
Advanced Custom Fields: Extended | acf-extended
Ai Image Alt Text Generator for WP | ai-image-alt-text-generator-for-wp
AIKTP | aiktp
Alchemist Ajax Upload | alchemist-ajax-upload
Alex User Counter | user-counter
All-in-One Video Gallery | all-in-one-video-gallery
Alpha Blocks | alpha-blocks
amr cron manager | amr-cron-manager
Anything Order by Terms | anything-order-by-terms
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps | appexperts
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments
ArtPlacer Widget | artplacer-widget
Automatic Featured Images from Videos | automatic-featured-images-from-videos
Beaver Builder Page Builder – Drag and Drop Website Builder | beaver-builder-lite-version
Blockons – Gutenberg blocks for WordPress and WooCommerce websites | blockons
Booking (Reservation & Appointment) | directorist-booking
Booking Activities | booking-activities
Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings | bookingor
Booter – Bots & Crawlers Manager | booter-bots-crawlers-manager
BOX NOW Delivery | box-now-delivery
Broadstreet | broadstreet
BuddyPress | buddypress
Canto Testimonials | canto-testimonials
Cloudinary – Deliver Images and Videos at Scale | cloudinary-image-management-and-manipulation-in-the-cloud-cdn
CM CSS Columns | cm-css-columns
Contact Form 7 GetResponse Extension | contact-form-7-getresponse-extension
Cookie consent for developers | cookie-consent-for-developers
Coven - Furniture Store WooCommerce Theme | coven-core
Creator LMS – The LMS for Creators, Coaches, and Trainers | creatorlms
CubeWP Framework | cubewp-framework
Custom Fonts – Host Your Fonts Locally | custom-fonts
Dinatur | dinatur
Directorist Social Login | directorist-social-login
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | dokan-lite
Download After Email – Subscribe & Download Form Plugin | download-after-email
Easy Property Listings | easy-property-listings
Easy Theme Options | easy-theme-options
Ecwid by Lightspeed Ecommerce Shopping Cart | ecwid-shopping-cart
Edwiser Bridge – WordPress Moodle Integration | edwiser-bridge
ElementCamp | element-camp
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | wp-event-solution
ExpressTechSoftwares Addon for MemberPress and Discord | expresstechsoftwares-memberpress-discord-add-on
File Manager for Google Drive – Integrate Google Drive | integrate-google-drive
Final User | final-user
Fitness Trainer- Training Membership Plugin | fitness-trainer
FlatPM – Ad Manager, AdSense and Custom Code | flatpm-wp
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | fluent-boards
Fraud Prevention For WooCommerce and EDD | woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Friendly Functions for Welcart | friendly-functions-for-welcart
Frontis Blocks — Block Library for the Block Editor | frontis-blocks
GDPR CCPA Compliance & Cookie Consent Banner | ninja-gdpr-compliance
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | geodirectory
GZSEO | gzseo
Happy Addons for Elementor | happy-elementor-addons
HD Quiz | hd-quiz
Head Meta Data | head-meta-data
Homey Core | homey-core
Hospital Doctor Directory | hospital-doctor-directory
Hotel Listings | hotel-listing
Hustle – Email Marketing, Lead Generation, Optins, Popups | wordpress-popup
Hydra Booking — Appointment Scheduling & Booking Calendar | hydra-booking
Image Photo Gallery Final Tiles Grid | final-tiles-grid-gallery-lite
iNET Webkit | inet-webkit
Institutions Directory | institutions-directory
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms | cf7-hubspot
iRobots.txt SEO | irobotstxt-seo
JavaScript Notifier | javascript-notifier
JobBank - WordPress Job manager plugin | jobbank
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin | jobwp
JustClick registration plugin | justclick-subscriber
Kalrav AI Agent | kalrav-ai-agent
Kentha Elementor Widgets | kentha-elementor
KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system
Koko Analytics – Privacy+Friendly statistics for WordPress | koko-analytics
LA-Studio Element Kit for Elementor | lastudio-element-kit
Lawyer Directory | lawyer-directory
LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart | lazytasks-project-task-management
LeadBI Plugin for WordPress | leadbi
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | learnpress
LifePress | lifepress
ListingHub | listinghub
Listivo Core | listivo-core
Login Page Editor | login-page-editor
MailerLite – WooCommerce integration | woo-mailerlite
Materialis Companion | materialis-companion
Media Library File Size | media-library-file-size
Melapress Role Editor | melapress-role-editor
Meta-box GalleryMeta | meta-box-gallerymeta
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | metform
Moderate Selected Posts | moderate-selected-posts
Monetag Official Plugin | monetag-official
Movie Booking | movie-booking
My auctions allegro | my-auctions-allegro-free-edition
My Post Order | my-posts-order
MyHome Core | myhome-core
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization | nelio-ab-testing
Nelio Content – Editorial Calendar & Social Media Auto-Posting | nelio-content
Newsletter – Send awesome emails from WordPress | newsletter
Nexter Extension – Site Enhancements Toolkit | nexter-extension
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | notificationx
Omnipress | omnipress
Order Notification for WooCommerce – Get Audio Alert on new Orders | woc-order-alert
Paid Downloads | paid-downloads
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | peachpay-for-woocommerce
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery
Pie Register – User Registration, Profiles & Content Restriction | pie-register
Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification | points-and-rewards-for-woocommerce
Poll, Survey & Quiz Maker Plugin by Opinion Stage | social-polls-by-opinionstage
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | ultimate-post
Postalicious | postalicious
Protección de datos – RGPD | proteccion-datos-rgpd
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player | radio-player
ravpage | ravpage
Real Estate Pro - WordPress Plugin | real-estate-pro
RealHomes CRM | realhomes-crm
Responsive Contact Form Builder & Lead Generation Plugin | lead-form-builder
Responsive Header Plugin | responsive-header
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator
Ryviu – Product Reviews for WooCommerce | ryviu
Salon Booking System – Free Version | salon-booking-system
Same Category Posts | same-category-posts
Save as PDF Plugin by PDFCrowd | save-as-pdf-by-pdfcrowd
Scalenut | scalenut
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp
Send Notifications from Woocommerce, Form Plugins and More! | notifier
SEO Booster | seo-booster
Set Bulk Post Categories | set-bulk-post-categories
ShoutOut | shoutout
Simple Crypto Shortcodes | simple-crypto-shortcodes
SiteLock Security – WP Hardening, Login Security & Malware Scans | sitelock
Star Review Manager | star-review-manager
SumUp Payment Gateway For WooCommerce | sumup-payment-gateway-for-woocommerce
SurveyJS: Drag & Drop Form Builder | surveyjs
Tabby Checkout | tabby-checkout
Table of Contents Creator | table-of-contents-creator
TableOn – WordPress Posts Table Filterable | posts-table-filterable
TaxCloud for WooCommerce | simple-sales-tax
Textmetrics | webtexttool
The Events Calendar | the-events-calendar
ThemeRuby Multi Authors – Assign Multiple Writers to Posts | themeruby-multi-authors
Timeline Event History | timeline-event-history
Tutor LMS BunnyNet Integration | tutor-lms-bunnynet-integration
Tutor LMS – eLearning and online course solution | tutor
Ultra Portfolio | ultra-portfolio
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | uncanny-automator
UPI QR Code Payment Gateway for WooCommerce | upi-qr-code-payment-for-woocommerce
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | user-registration
User Submitted Posts – Enable Users to Submit Posts from the Front End | user-submitted-posts
UX Flat | ux-flat
Viet contact | viet-contact
VK Google Job Posting Manager | vk-google-job-posting-manager
Web Push Notifications – Webpushr | webpushr-web-push-notifications
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | wedocs
weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | wemail
Wise Analytics | wise-analytics
Wishlist Member | wishlist-member-x
Wizit Gateway for WooCommerce | wizit-gateway-for-woocommerce
Workscout Core | workscout-core
WP BackItUp Community Edition | wp-backitup
WP Directory Kit | wpdirectorykit
WP DSGVO Tools (GDPR) | shapepress-dsgvo
WP Go Maps (formerly WP Google Maps) | wp-google-maps
WP Hello Bar | wp-hello-bar
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website | wp-job-portal
WP Membership | wp-membership
WP Term Order | wp-term-order
WP Travel – Ultimate Travel Booking System, Tour Management Engine | wp-travel
WP Youtube Video Gallery | wp-youtube-video-gallery
WP-ClanWars | wp-clanwars
wpCAS | wpcas
WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) | wpo365-login
Xpro Addons — 140+ Widgets for Elementor | xpro-elementor-addons
ZT Captcha | zt-captcha
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug
AdForest | adforest
CarSpot – Dealership Wordpress Classified Theme | carspot
Craft | Coffee Shop Cafe Restaurant WordPress | craftcoffee
DotLife | Coaching Online Courses WordPress | dotlife
EcoBlue | ecoblue
enfold | enfold
Grand Magazine | Blog WordPress | grandmagazine
Grand Spa | Massage Salon WordPress | grandspa
Grand Tour | Travel Agency WordPress | grandtour
Hostiko - Hosting WordPress & WHMCS Theme | hostiko
Hoteller Booking WordPress | hoteller
Listihub - Directory Listing WordPress Theme | listihub
PeakShops - Modern & Multi-Concept WooCommerce Theme | peakshops
Prowess - Fitness and Gym WordPress Theme | prowess
Travel Booking WordPress Theme | traveler
Werkstatt - Creative Portfolio WordPress Theme | werkstatt
WorkScout - Job Board WordPress Theme | workscout
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-15521
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
Researcher: vgo0
Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-14533
Patch Status: Patched
Published: Jan 19, 2026
Affected Software: Advanced Custom Fields: Extended
Researcher: andrea bocchetti
Booking Activities <= 1.16.44 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-67953
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: Booking Activities
Researcher: daroo
Directorist Social Login <= 2.1.1 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-22337
Patch Status: Unpatched
Published: Jan 20, 2026
Affected Software: Directorist Social Login
Researcher: 0xd4rk5id3
Hydra Booking <= 1.1.32 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-68027
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: Hydra Booking — Appointment Scheduling & Booking Calendar
Researcher: daroo
Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-13374
Patch Status: Unpatched
Published: Jan 23, 2026
Affected Software: Kalrav AI Agent
Researcher: Ryan Kozak
LA-Studio Element Kit for Elementor <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2026-0920
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: LA-Studio Element Kit for Elementor
Researchers: Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777), Waris Damkham
LazyTasks <= 1.4.01 - Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-68869
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart
Researcher: 0xd4rk5id3
Movie Booking <= 1.1.5 - Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.1)
CVE-ID: CVE-2025-67963
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: Movie Booking
Researcher: Phat RiO
Beaver Builder <= 2.9.4.1 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69319
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: Beaver Builder Page Builder – Drag and Drop Website Builder
Researcher: Drew Webber (mcdruid)
Creator LMS – The LMS for Creators, Coaches, and Trainers <= 1.1.12 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-15347
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: Creator LMS – The LMS for Creators, Coaches, and Trainers
Researcher: Sarawut Poolkhet (MisterHelloz)
Final User <= 1.2.5 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69293
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: Final User
Researcher: Phat RiO
Hospital Doctor Directory <= 1.3.9 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69183
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: Hospital Doctor Directory
Researcher: Phat RiO
Institutions Directory <= 1.3.4 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69182
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: Institutions Directory
Researcher: Phat RiO
Lawyer Directory <= 1.3.3 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-67966
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: Lawyer Directory
Researcher: Phat RiO
Melapress Role Editor <= 1.1.1 - Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-14866
Patch Status: Patched
Published: Jan 22, 2026
Affected Software: Melapress Role Editor
Researcher: Sarawut Poolkhet (MisterHelloz)
Membership <= 1.6.4 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69292
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: WP Membership
Researcher: Phat RiO
Real Homes CRM <= 1.0.0 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-67968
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: RealHomes CRM
Researcher: wackydawg
Xpro Elementor Addons <= 1.4.19.1 - Authenticated (Author+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-69312
Patch Status: Patched
Published: Jan 19, 2026
Affected Software: Xpro Addons — 140+ Widgets for Elementor
Researcher: Mdr
AdForest <= 6.0.11 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67946
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: AdForest
Researcher: João Pedro S Alcântara (Kinorth)
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-14977
Patch Status: Patched
Published: Jan 19, 2026
Affected Software: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Researcher: shark3y
EcoBlue <= 1.15 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-22338
Patch Status: Unpatched
Published: Jan 21, 2026
Affected Software: EcoBlue
Researcher: Bonds
Listivo Core <= 2.3.77 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67957
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: Listivo Core
Researcher: João Pedro S Alcântara (Kinorth)
MyHome Core <= 4.1.0 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-67955
Patch Status: Patched
Published: Jan 21, 2026
Affected Software: MyHome Core
Researcher: João Pedro S Alcântara (Kinorth)
Nexter Extension – Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'
CVSS Rating: High (8.1)
CVE-ID: CVE-2026-0726
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: Nexter Extension – Site Enhancements Toolkit
Researcher: Webbernaut
PeakShops < 1.5.9 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69322
Patch Status: Patched
Published: Jan 23, 2026
Affected Software: PeakShops - Modern & Multi-Concept WooCommerce Theme
Researcher: João Pedro S Alcântara (Kinorth)
Werkstatt < 4.8.3 - Unauthenticated Local File Inclusion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-69314
Patch Status: Patched
Published: Jan 19, 2026
Affected Software: Werkstatt - Creative Portfolio WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Local File Inclusion via 'slug' Shortcode Attribute
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-1257
Patch Status: Unpatched
Published: Jan 23, 2026
Affected Software: Administrative Shortcodes
Researcher: zaim
Coven Core <= 1.3 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-69295
Patch Status: Unpatched
Published: Jan 23, 2026
Affected Software: Coven - Furniture Store WooCommerce Theme
Researcher: Phat RiO
Directorist Booking <= 2.4.1 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-22336
Patch Status: Unpatched
Published: Jan 20, 2026
Affected Software: Booking (Reservation & Appointment)
Researcher: 0xd4rk5id3
Eventin <= 4.1.1 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68047
Patch Status: Unpatched
Published: Jan 22, 2026
Affected Software: Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)
Researcher: w41bu1
Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upload via Module Import
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-0911
Patch Status: Patched
Published: Jan 23, 2026
Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups
Researcher: Williwollo (CybrX)
Kentha Elementor Widgets < 3.1 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-24390
Patch Status: Patched
Published: Jan 24, 2026
Affected Software: Kentha Elementor Widgets
Researcher: João Pedro S Alcântara (Kinorth)
Koko Analytics <= 2.1.2 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-22850
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: Koko Analytics – Privacy+Friendly statistics for WordPress
Researcher: Hector Ruiz Ruiz
MailerLite – WooCommerce integration <= 3.1.2 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-67945
Patch Status: Patched
Published: Jan 20, 2026
Affected Software: MailerLite – WooCommerce integration
Researcher: NumeX
Omnipress <= 1.6.7 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-24538
Patch Status: Unpatched
Published: Jan 24, 2026
Affected Software: Omnipress
Researcher: theviper17y
Paid Downloads <= 3.15 - Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-68857
Patch Status: Unpatched
Published: Jan 21, 2026
Affected Software: Paid Downloads
Researcher: Abdulsamad Yusuf (0xVenus)
PeakShops <= 1.5.9 - Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-69294
Patch Status: Patched
Published: Jan 23, 2026
Affected Software: PeakShops - Modern & Multi-Concept WooCommerce Theme
Researcher: João Pedro S Alcântara (Kinorth)
Prowess <= 2.3 - Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2026-24531
Patch Status: Unpatched
Published: Jan 25, 2026
Affected Software: Prowess - Fitness and Gym WordPress Theme
Researcher: João Pedro S Alcântara (Kinorth)
BuddyPress <= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-11976
Patch Status: Patched
Published: Jan 22, 2026
Affected Software: BuddyPress
Researcher: mikemyers
AdForest Elementor <= 3.0.11 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67947
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
AdForest Elementor
Researcher
João Pedro S Alcântara (Kinorth)
amr cron manager <= 2.3 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-68848
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
amr cron manager
Researcher
Skalucy
Dinatur <= 1.18 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-68866
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Dinatur
Researcher
Jarno Vos (jarnovos)
Frontis Blocks <= 1.1.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2026-0807
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
Frontis Blocks — Block Library for the Block Editor
Researchers
Itthidej Aramsri (Boeing777), Vilaysone CHANTHAVONG (0xJ0cKkY)
Grand Tour < 5.6.2 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67952
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Grand Tour | Travel Agency WordPress
Researcher
João Pedro S Alcântara (Kinorth)
Homey Core <= 2.4.3 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67964
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Homey Core
Researcher
João Pedro S Alcântara (Kinorth)
Hostiko < 94.3.6 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67949
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Hostiko - Hosting WordPress & WHMCS Theme
Researcher
João Pedro S Alcântara (Kinorth)
JobWP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-69318
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin
Researcher
daroo
My auctions allegro <= 3.6.32 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67943
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
My auctions allegro
Researcher
Skalucy
Nelio AB Testing <= 8.1.8 - Authenticated (Editor+) Remote Code Execution
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67944
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization
Researcher
daroo
NotificationX <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-15380
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Researcher
Dmitrii Ignatyev
Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2019-25297
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage
Researcher
WPscan
Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
Unknown
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage
Researcher
WPscan
Radio Player <= 2.0.91 - Unauthenticated Server-Side Request Forgery
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2026-24548
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player
Researcher
Nabil Irawan
User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2026-0800
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End
Researcher
Balamurugan R
WorkScout <= 4.1.07 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67959
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
WorkScout - Job Board WordPress Theme
Researcher
João Pedro S Alcântara (Kinorth)
WorkScout-Core <= 1.7.06 - Unauthenticated Stored Cross-Site Scripting
7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-67960
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
Workscout Core
Researcher
João Pedro S Alcântara (Kinorth)
All-in-One Video Gallery <= 4.6.4 - Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-14947
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
All-in-One Video Gallery
Researcher
andrea bocchetti
AppExperts <= 1.4.5 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-68881
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps
Researcher
Jarno Vos (jarnovos)
Frontis Blocks <= 1.1.5 - Unauthenticated Server-Side Request Forgery
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-68030
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Frontis Blocks — Block Library for the Block Editor
Researcher
0xd4rk5id3
Happy Addons for Elementor <= 3.20.4 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-68999
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
Happy Addons for Elementor
Researcher
knani alaaeddine (iwd)
Nelio Content <= 4.2.0 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2026-24572
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Nelio Content – Editorial Calendar & Social Media Auto-Posting
Researcher
Doan Dinh Van (DinhVan52)
Traveler < 3.2.8 - Authenticated (Contributor+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2026-24367
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Travel Booking WordPress Theme
Researcher
João Pedro S Alcântara (Kinorth)
Ultra Portfolio <= 6.7 - Authenticated (Subscriber+) SQL Injection
6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-69180
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Ultra Portfolio
Researcher
Phat RiO
ABG Rich Pins <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-24558
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
ABG Rich Pins
Researcher
johska
Administrative Shortcodes <= 0.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'login' and 'logout' Shortcode Attributes
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-1099
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Administrative Shortcodes
Researcher
zaim
Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-14985
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Alpha Blocks
Researcher
Athiwat Tiprasaharn (Jitlada)
ArtPlacer Widget <= 2.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-24555
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
ArtPlacer Widget
Researcher
Athiwat Tiprasaharn (Jitlada)
Blockons <= 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-24550
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Blockons – Gutenberg blocks for WordPress and WooCommerce websites
Researcher
theviper17y
Canto Testimonials <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fx' Shortcode Attribute
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-1095
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Canto Testimonials
Researcher
theviper17y
CM CSS Columns <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Shortcode Attribute
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-1098
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
CM CSS Columns
Researcher
theviper17y
Enfold <= 7.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-68900
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
enfold
Researcher
João Pedro S Alcântara (Kinorth)
FlatPM – Ad Manager, AdSense and Custom Code <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0690
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
FlatPM – Ad Manager, AdSense and Custom Code
Researcher
Muhammad Yudha - DJ
GZSEO <= 2.0.11 - Authenticated (Contributor+) Authorization Bypass to Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-14941
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
GZSEO
Researcher
Paolo Tresso
Head Meta Data <= 20251118 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0608
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Head Meta Data
Researcher
Muhammad Yudha - DJ
LeadBI Plugin for WordPress <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_id' Shortcode Attribute
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-1189
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
LeadBI Plugin for WordPress
Researcher
theviper17y
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-14745
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Researcher
zaim
Schema & Structured Data for WP & AMP <= 1.54 - Authenticated (Contributor+) Stored Cross-Site Scripting via User Custom Schema
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-14069
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Schema & Structured Data for WP & AMP
Researcher
type5afe
ThemeRuby Multi Authors <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-1097
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
ThemeRuby Multi Authors – Assign Multiple Writers to Posts
Researcher
zaim
Tutor LMS BunnyNet Integration <= 1.0.0 - Authenticated (Tutor instructor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-24584
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
Tutor LMS BunnyNet Integration
Researcher
Nabil Irawan
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.10.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-15522
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Researcher
zaim
UX Flat <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-24576
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
UX Flat
Researcher
theviper17y
VK Google Job Posting Manager <= 1.2.20 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-12836
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
VK Google Job Posting Manager
Researcher
Athiwat Tiprasaharn (Jitlada)
WP DSGVO Tools (GDPR) <= 3.1.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'lw_content_block' Shortcode
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2026-0914
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
WP DSGVO Tools (GDPR)
Researcher
Muhammad Yudha - DJ
WPO365 <= 40.0 - Authenticated (Subscriber+) Server-Side Request Forgery
6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-67961
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)
Researcher
Phat RiO
CarSpot < 2.4.6 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69317
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
CarSpot – Dealership Wordpress Classified Theme
Researcher
João Pedro S Alcântara (Kinorth)
Craft <= 2.3.6 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68538
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Craft | Coffee Shop Cafe Restaurant WordPress
Researcher
João Pedro S Alcântara (Kinorth)
DotLife < 4.9.5 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68520
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
DotLife | Coaching Online Courses WordPress
Researcher
João Pedro S Alcântara (Kinorth)
Easy Theme Options <= 1.0 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68839
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Easy Theme Options
Researcher
Skalucy
Grand Magazine <= 3.5.7 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69320
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Grand Magazine | Blog WordPress
Researcher
João Pedro S Alcântara (Kinorth)
Grand Spa <= 3.5.5 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69321
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Grand Spa | Massage Salon WordPress
Researcher
João Pedro S Alcântara (Kinorth)
Hoteller < 6.8.9 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68518
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Hoteller Booking WordPress
Researcher
João Pedro S Alcântara (Kinorth)
iRobots.txt SEO <= 1.1.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68840
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
iRobots.txt SEO
Researcher
Skalucy
JustClick registration plugin <= 0.1 - Reflected Cross-Site Scripting via PHP_SELF
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-13676
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
JustClick registration plugin
Researcher
Abdulsamad Yusuf (0xVenus)
MemberPress Discord Addon <= 1.1.4 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68838
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
ExpressTechSoftwares Addon for MemberPress and Discord
Researcher
Skalucy
My Post Order <= 1.2.1.1 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68004
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
My Post Order
Researcher
Skalucy
Ravpage <= 2.33 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68835
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
ravpage
Researcher
Skalucy
Save as PDF Plugin by PDFCrowd <= 4.5.5 - Reflected Cross-Site Scripting via options
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2026-0862
Patch Status
Patched
Published
Jan 24, 2026
Affected Software
Save as PDF Plugin by PDFCrowd
Researcher
Arkadiusz Hydzik
ShoutOut <= 4.0.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68894
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
ShoutOut
Researcher
Skalucy
Table of Contents Creator <= 1.6.4.1 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68836
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
Table of Contents Creator
Researcher
Skalucy
TableOn <= 1.0.4.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-69316
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
TableOn – WordPress Posts Table Filterable
Researcher
Skalucy
Timeline Event History <= 3.2 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2026-1127
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Timeline Event History
Researcher
Arkadiusz Hydzik
wpCAS <= 1.07 - Reflected Cross-Site Scripting
6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-68858
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
wpCAS
Researcher
Abdulsamad Yusuf (0xVenus)
AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2026-1103
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
AIKTP
Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Image Photo Gallery Final Tiles Grid <= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-15466
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Image Photo Gallery Final Tiles Grid
Researchers
Mohammad Amin Hajian (mamadrce), Pouria Shahba (p0or1ya)
Same Category Posts <= 1.1.19 - Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-14797
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
Same Category Posts
Researcher
Athiwat Tiprasaharn (Jitlada)
Textmetrics <= 3.6.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2026-24564
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Textmetrics
Researcher
theviper17y
The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-15043
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
The Events Calendar
Researcher
type5afe
Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2026-0548
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Tutor LMS – eLearning and online course solution
Researcher
type5afe
Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14629
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Alchemist Ajax Upload
Researcher
ChamlaVic
BackItUp <= 2.1.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68039
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
WP BackItUp Community Edition
Researcher
Legion Hunter
Contact Form 7 GetResponse Extension <= 1.0.8 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24557
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Contact Form 7 GetResponse Extension
Researcher
Nabil Irawan
Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14351
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Custom Fonts – Host Your Fonts Locally
Researcher
type5afe
Download After Email <= 2.1.9 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24541
Patch Status
Unpatched
Published
Jan 24, 2026
Affected Software
Download After Email – Subscribe & Download Form Plugin
Researcher
Nabil Irawan
Easy Property Listings <= 3.5.17 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68072
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Easy Property Listings
Researcher
daroo
ElementCamp <= 2.3.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24556
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
ElementCamp
Researcher
Nabil Irawan
Final User <= 1.2.5 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69187
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Final User
Researcher
Phat RiO
Fitness Trainer <= 1.7.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69188
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Fitness Trainer- Training Membership Plugin
Researcher
Phat RiO
Hospital Doctor Directory <= 1.3.9 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69186
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Hospital Doctor Directory
Researcher
Phat RiO
Hotel Listing <= 1.4.2 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69185
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Hotel Listings
Researcher
Phat RiO
Institutions Directory <= 1.3.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69184
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Institutions Directory
Researcher
Phat RiO
JobBank <= 1.2.3 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69189
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
JobBank - WordPress Job manager plugin
Researcher
Phat RiO
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15 - Missing Authorization to Unauthenticated Limited Arbitrary File Upload
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0927
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
KiviCare – Clinic & Patient Management System (EHR)
Researcher
Sarawut Poolkhet (MisterHelloz)
Lawyer Directory <= 1.3.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69181
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Lawyer Directory
Researcher
Phat RiO
LearnPress – WordPress LMS Plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14798
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Researcher
andrea bocchetti
Listihub <= 1.0.6 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69190
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Listihub - Directory Listing WordPress Theme
Researcher
Phat RiO
ListingHub <= 1.2.7 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69191
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
ListingHub
Researcher
Phat RiO
Membership <= 1.6.4 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69193
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
WP Membership
Researcher
Phat RiO
Order Listener for WooCommerce <= 3.6.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68018
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
Order Notification for WooCommerce – Get Audio Alert on new Orders
Researcher
NumeX
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14978
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)
Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-1036
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Researcher
Moose Love
Pie Register <= 3.8.4.7 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24577
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Pie Register – User Registration, Profiles & Content Restriction
Researcher
Mdr
PostX <= 5.0.3 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69313
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX
Researcher
MD ISMAIL
Protección de datos – RGPD <= 0.68 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24539
Patch Status
Patched
Published
Jan 24, 2026
Affected Software
Protección de datos – RGPD
Researcher
Nabil Irawan
Real Estate Pro <= 2.1.5 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69192
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Real Estate Pro - WordPress Plugin
Researcher
Phat RiO
Ryviu – Product Reviews for WooCommerce <= 3.1.26 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24562
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Ryviu – Product Reviews for WooCommerce
Researcher
Legion Hunter
Scalenut <= 1.1.3 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68882
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Scalenut
Researcher
NumeX
SEO Booster <= 6.1.8 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68019
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
SEO Booster
Researcher
Legion Hunter
Simply Schedule Appointments <= 1.6.9.15 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-69315
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher
benzdeus
SumUp Payment Gateway For WooCommerce <= 2.7.9 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24583
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
SumUp Payment Gateway For WooCommerce
Researcher
Legion Hunter
Tabby Checkout <= 5.8.4 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68035
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
Tabby Checkout
Researcher
benzdeus
TaxCloud for WooCommerce <= 8.3.8 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67958
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
TaxCloud for WooCommerce
Researcher
Legion Hunter
Travel <= 11.1.0 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24568
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
WP Travel – Ultimate Travel Booking System, Tour Management Engine
Researcher
Nabil Irawan
UPI QR Code Payment Gateway for WooCommerce <= 1.5.1 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67969
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
UPI QR Code Payment Gateway for WooCommerce
Researcher
NumeX
User Registration <= 4.4.6 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-67956
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin
Researcher
Mdr
WANotifier <= 2.7.12 - Missing Authorization
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-68020
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Send Notifications from Woocommerce, Form Plugins and More!
Researcher
Legion Hunter
Webpushr <= 4.38.0 - Unauthenticated Information Exposure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-24536
Patch Status
Unpatched
Published
Jan 25, 2026
Affected Software
Web Push Notifications – Webpushr
Researcher
Trương Hữu Phúc (truonghuuphuc)
weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14348
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
Researcher
shark3y
Wise Analytics <= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14609
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Wise Analytics
Researcher
Lior Yeshayahu
Wizit Gateway for WooCommerce <= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-14843
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Wizit Gateway for WooCommerce
Researcher
MD. TAREQ AHAMED JONY (itztrq)
WP Directory Kit <= 1.4.9 - Unauthenticated Email Exposure via wdk_public_action
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-13920
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
WP Directory Kit
Researcher
Sarawut Poolkhet (MisterHelloz)
WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification
5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2026-0593
Patch Status
Patched
Published
Jan 24, 2026
Affected Software
WP Go Maps (formerly WP Google Maps)
Researcher
Moose Love
WP-ClanWars <= 2.0.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter
4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2026-0806
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
WP-ClanWars
Researcher
0x34rth
Cookie consent for developers <= 1.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Multiple Settings Fields
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1084
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Cookie consent for developers
Researcher
0x34rth
JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1191
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
JavaScript Notifier
Researcher
0x34rth
Meta-box GalleryMeta <= 3.0.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Image Caption
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1302
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Meta-box GalleryMeta
Researcher
Kazuma Matsumoto
Postalicious <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1266
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Postalicious
Researcher
0x34rth
Responsive Header Plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1300
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Responsive Header Plugin
Researcher
0x34rth
More Details >
Viet contact <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'll1', 'll2', 'll3', and 'll4' Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1045
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
Viet contact
Researcher
0x34rth
More Details >
WP Hello Bar <= 1.02 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'digit_one' and 'digit_two' Parameters
4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2026-1042
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
WP Hello Bar
Researcher
0x34rth
More Details >
Admin login URL Change <= 1.1.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24578
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Admin login URL Change
Researcher
Mohamad Fattyr
More Details >
AdminQuickbar <= 1.9.3 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14630
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
AdminQuickbar
Researcher
Lior Yeshayahu
More Details >
Ai Image Alt Text Generator for WP <= 1.1.9 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24579
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Ai Image Alt Text Generator for WP
Researcher
Nabil Irawan
More Details >
Alex User Counter <= 6.0 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1070
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Alex User Counter
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-15516
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
All-in-One Video Gallery
Researcher
kr0d
More Details >
Anything Order by Terms <= 1.4.0 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24567
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Anything Order by Terms
Researcher
Nabil Irawan
More Details >
Automatic Featured Images from Videos <= 1.2.7 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24535
Patch Status
Patched
Published
Jan 25, 2026
Affected Software
Automatic Featured Images from Videos
Researcher
Nabil Irawan
More Details >
B Accordion <= 2.0.0 - Authenticated (Contributor+) Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24565
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Accordion – Add Horizontal / Vertical Accordion in WP
Researcher
theviper17y
More Details >
Bookingor <= 1.0.12 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-12573
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings
Researcher
Khaled Alenazi (Nxploited)
More Details >
Booter <= 1.5.7 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24534
Patch Status
Unpatched
Published
Jan 25, 2026
Affected Software
Booter – Bots & Crawlers Manager
Researcher
Nabil Irawan
More Details >
BOX NOW Delivery <= 3.0.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24571
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
BOX NOW Delivery
Researcher
Nabil Irawan
More Details >
Broadstreet Ads <= 1.52.1 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-69311
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Broadstreet
Researcher
Que Thanh Tuan
More Details >
Cloudinary <= 3.3.0 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24560
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Cloudinary – Deliver Images and Videos at Scale
Researcher
Nabil Irawan
More Details >
Contact Form & Lead Form Elementor Builder <= 2.0.1 - Authenticated (Subscriber+) Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68046
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Responsive Contact Form Builder & Lead Generation Plugin
Researcher
benzdeus
More Details >
CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Post Disclosure in class-cubewp-search-ajax-hooks.php
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-6461
Patch Status
Patched
Published
Jan 24, 2026
Affected Software
CubeWP Framework
Researcher
stealthcopter
More Details >
Ecwid Shopping Cart <= 7.0.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24580
Patch Status
Unpatched
Published
Jan 19, 2026
Affected Software
Ecwid by Lightspeed Ecommerce Shopping Cart
Researcher
Rapid0nion
More Details >
Edwiser Bridge <= 4.3.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24570
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
Edwiser Bridge – WordPress Moodle Integration
Researcher
Nabil Irawan
More Details >
FluentBoards <= 1.91.1 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24561
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Researcher
Nabil Irawan
More Details >
Fraud Prevention For Woocommerce <= 2.3.1 - Authenticated (Subscriber+) Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24553
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Fraud Prevention For WooCommerce and EDD
Researcher
Jarno Vos (jarnovos)
More Details >
Friendly Functions for Welcart <= 1.2.5 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1208
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
Friendly Functions for Welcart
Researcher
Kai Aizen
More Details >
GDPR CCPA Compliance Support <= 2.7.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68073
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
GDPR CCPA Compliance & Cookie Consent Banner
Researcher
Nabil Irawan
More Details >
GeoDirectory <= 2.8.149 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24549
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Researcher
Trương Hữu Phúc (truonghuuphuc)
More Details >
HD Quiz <= 2.0.9 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24544
Patch Status
Unpatched
Published
Jan 24, 2026
Affected Software
HD Quiz
Researcher
Nabil Irawan
More Details >
Hospital Doctor Directory <= 1.3.9 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68057
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Hospital Doctor Directory
Researcher
Phat RiO
More Details >
Hotel Listing <= 1.4.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68059
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Hotel Listings
Researcher
Phat RiO
More Details >
iNET Webkit <= 1.2.4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24566
Patch Status
Unpatched
Published
Jan 21, 2026
Affected Software
iNET Webkit
Researcher
theviper17y
More Details >
Institutions Directory <= 1.3..4 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-68058
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
Institutions Directory
Researcher
Phat RiO
More Details >
Integrate Google Drive <= 1.5.6 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24540
Patch Status
Unpatched
Published
Jan 24, 2026
Affected Software
File Manager for Google Drive – Integrate Google Drive
Researcher
Nabil Irawan
More Details >
Integration for Contact Form 7 HubSpot <= 1.4.3 - Authenticated (Subscriber+) Information Exposure
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24559
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Researcher
Nabil Irawan
More Details >
Job Portal <= 2.4.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24379
Patch Status
Patched
Published
Jan 24, 2026
Affected Software
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website
Researcher
Nabil Irawan
More Details >
Lawyer Directory <= 1.3.3 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-67967
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
Lawyer Directory
Researcher
Phat RiO
More Details >
LifePress <= 2.2.1 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24563
Patch Status
Unpatched
Published
Jan 22, 2026
Affected Software
LifePress
Researcher
Doan Dinh Van (DinhVan52)
More Details >
Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1088
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Login Page Editor
Researcher
afnaan
More Details >
Materialis Companion <= 1.3.52 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24543
Patch Status
Unpatched
Published
Jan 24, 2026
Affected Software
Materialis Companion
Researcher
Nabil Irawan
More Details >
Media Library File Size <= 1.6.7 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24569
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
Media Library File Size
Researcher
Nabil Irawan
More Details >
Meta-box GalleryMeta <= 3.0.1 - Missing Authorization to Authenticated (Author+) Gallery Management
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-0687
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Meta-box GalleryMeta
Researcher
Kazuma Matsumoto
More Details >
Moderate Selected Posts <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14907
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Moderate Selected Posts
Researcher
afnaan
More Details >
Monetag Official <= 1.1.3 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24551
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Monetag Official Plugin
Researcher
Nabil Irawan
More Details >
Newsletter – Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1051
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Newsletter – Send awesome emails from WordPress
Researchers
Sergej LjubojevicBoris Bogosavac
More Details >
NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-0554
Patch Status
Patched
Published
Jan 20, 2026
Affected Software
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Researcher
Dmitrii Ignatyev
More Details >
Points and Rewards for WooCommerce <= 2.9.5 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24581
Patch Status
Patched
Published
Jan 19, 2026
Affected Software
Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification
Researcher
Rapid0nion
More Details >
Set Bulk Post Categories <= 1.1 - Cross-Site Request Forgery to Bulk Post Category Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1081
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Set Bulk Post Categories
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
Simple Crypto Shortcodes <= 1.0.2 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14903
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Simple Crypto Shortcodes
Researcher
afnaan
More Details >
SiteLock Security <= 5.0.2 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24532
Patch Status
Unpatched
Published
Jan 25, 2026
Affected Software
SiteLock Security – WP Hardening, Login Security & Malware Scans
Researcher
Nabil Irawan
More Details >
Star Review Manager <= 1.2.2 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1076
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
Star Review Manager
Researcher
afnaan
More Details >
SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Creation
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13139
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
SurveyJS: Drag & Drop Form Builder
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13205
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
SurveyJS: Drag & Drop Form Builder
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Renaming
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13194
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
SurveyJS: Drag & Drop Form Builder
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
Term Order <= 2.1.0 - Cross-Site Request Forgery
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24542
Patch Status
Unpatched
Published
Jan 24, 2026
Affected Software
WP Term Order
Researcher
Nabil Irawan
More Details >
weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-13921
Patch Status
Patched
Published
Jan 22, 2026
Affected Software
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Researcher
blue0x1
More Details >
WishList Member X <= 3.29.0 - Missing Authorization
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-24575
Patch Status
Unpatched
Published
Jan 20, 2026
Affected Software
Wishlist Member
Researcher
0xd4rk5id3
More Details >
WP Youtube Video Gallery <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-14906
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
WP Youtube Video Gallery
Researcher
afnaan
More Details >
ZT Captcha <= 1.0.4 - Cross-Site Request Forgery to Settings Update
4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2026-1075
Patch Status
Unpatched
Published
Jan 23, 2026
Affected Software
ZT Captcha
Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
More Details >
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 - Unauthenticated Form Submission Exposure via Forgeable Cookie Value
3.7
CVSS Rating
Low (3.7)
CVE-ID
CVE-2026-0633
Patch Status
Patched
Published
Jan 23, 2026
Affected Software
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor
Researcher
type5afe
More Details >
Salon booking system <= 10.30.3 - Authenticated (Subscriber+) Information Exposure
3.1
CVSS Rating
Low (3.1)
CVE-ID
CVE-2025-67954
Patch Status
Patched
Published
Jan 21, 2026
Affected Software
Salon Booking System – Free Version
Researcher
daroo
More Details >
As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 19, 2026 to January 25, 2026) appeared first on Wordfence.
Source: www.wordfence.com